DATA PROTECTION
European Data Protection Board: first report on the status of implementation of the EU-US agreement (Data Privacy Framework) for the transfer of personal data from the EU to the US.
During its latest plenary, the European Data Protection Board (EDPB) adopted a report on the first review of EU-U.S. Data Privacy Framework (DPF).
The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.
Regarding commercial aspects, i.e. the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.
In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.
The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome.
Concerning the access by U.S. public authorities to personal data transferred from the EU to certified organisations, the EDPB focused; on the effective implementation of the safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles and the new redress mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.
Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.
The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.
Regarding commercial aspects, i.e. the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.
In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.
The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome.
Concerning the access by U.S. public authorities to personal data transferred from the EU to certified organisations, the EDPB focused; on the effective implementation of the safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles and the new redress mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.
Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.
